Jim M, posted April 20

11 minutes ago, Svetozar Angelov said:
Despite all the measures taken

Unfortunately, I do not see that you have seen all measures taken.

13 minutes ago, Svetozar Angelov said:
I'm sure you have a bug in IPS that occurred after an update from the beginning of March. Our problems continue. 😣

Unfortunately, without an example, we cannot review that. However, I looked at the user who you just recently banned in your administrator log, and they have indeed been a part of a data breach of non-IPS sites. You can use https://haveibeenpwned.com/ to check their email and see if their password(s) have been exposed from other website breaches.
TracyIsland, posted April 20

On 4/18/2024 at 11:31 AM, Jim M said:
Keep in mind that a spammer can reset a password to an account if they have access to the email address tied to the account.

Our community was hit with a huge number of spam registrations in March. See the Tsunami topic. Some of the registrations got through while most were in a pending status (we use aMember for our current 3.3.4 board: register externally and then SSO). Whether the registration got through or sat in the pending status (awaiting email validation), we had to evaluate the domain name of each registration. If it was xx@buildingsupplies.com, we banned that domain because we want our community to have personal email addresses. But many of the registrations had domain extensions like me.com, gmail.com, outlook.com, hotmail.com, aol.com with real names attached. We couldn't ban those domains, so we checked the registration to see if the username and the first name and last name were all the same. If yes, then we deleted the registration.

All this to say it was an eye opener to see just how many real personal email accounts had been obtained on the dark web. Maybe start compiling a list of the email addresses from accounts that you are deleting, and perhaps see if they compare to the IPS banned list? Also, notate the date of registration? These suggestions are along the lines of what the IPS staff is suggesting, that these bad apples snuck in months ago.

One thing we do that helps to verify a registration is include a few additional registration fields: Country, State, City. So we look at that information in the real registration or the pending registration and if the fields don't agree, that's a first flag, and if needed, we check the IP address of the origin and if that IP address location doesn't agree with the Country, that's another red flag.

If these spammers have the login access to the actual email accounts, which I think is what Jim M is inferring in the quote, then there doesn't seem to be anything you can do other than to ban that specific email address.
Svetozar Angelov, posted April 21

14 hours ago, Jim M said:
Unfortunately, I do not see that you have seen all measures taken. Unfortunately, without an example, we cannot review that. However, I looked at the user who you just recently banned in your administrator log, and they have indeed been a part of a data breach of non-IPS sites. You can use https://haveibeenpwned.com/ to check their email and see if their password(s) have been exposed from other website breaches.

We have taken enough measures. I ask that you now take measures and look very carefully at the code from the beginning of March, because we have not had such problems before. It is clear that precisely from this period the problems with spammers on the IPS platform started massively. I can't sit all day and clean the forum of spammers after the version is paid for and obviously the problem is yours.
Randy Calvert, posted April 21

1 hour ago, Svetozar Angelov said:
We have taken enough measures, I ask that you now take measures and look very carefully at the code from the beginning of March, because we have not had such problems before. It is clear that precisely from this period the problems with spammers on the IPS platform started massively. I can't sit all day and clean the forum of spammers after the version is paid for and obviously the problem is yours.

Ummm, I hope you realize IPS does this already as part of its software release process. This includes dynamic and static code scanning. IPS also has its software reviewed on a regular basis by 3rd party security companies. In addition, the software is used by MANY large corporate customers who do their own independent testing in order to use it in their environment. So sitting here stomping your feet and simply saying it's some random problem "somewhere" in the software simply shows that you are uninformed.

There have been recommendations provided on how to improve blocking spam, including using hCaptcha (where you can also increase its difficulty), requiring your users to use 2FA, and others. Spam is a problem EVERYWHERE on the internet and is a cat/mouse game. If someone has an account somewhere else compromised and uses the same credentials on your site, that is NOT a problem in the software. It's a user problem for being stupid and using a credential in multiple places. That's why it's important to use things like 2FA to prevent a malicious actor from getting a password from somewhere else.

By the way… did you know most large banks, despite having FANTASTIC cyber security, have on average over 3000 compromised accounts a month? That's despite spending hundreds of millions of dollars a month on security tools that small site owners can only dream about. If this is a challenge for them with literally dozens to hundreds of dedicated cyber security experts and budgets in the millions of dollars… how realistic is it for "the rest of us"?
Jim M, posted April 21

7 hours ago, Svetozar Angelov said:
We have taken enough measures, I ask that you now take measures and look very carefully at the code from the beginning of March, because we have not had such problems before. It is clear that precisely from this period the problems with spammers on the IPS platform started massively. I can't sit all day and clean the forum of spammers after the version is paid for and obviously the problem is yours.

As Randy, us, and others mentioned several times through these conversations, spam is a walk of life on the internet and odds are you will never be able to 100% combat it. It also comes in cycles. Points that are high turn to lows as people adapt spam measures and combat spam accounts, or our spam defense grows aware of individuals, etc. However, our methods posted here will make it significantly less annoying and to a degree remove it from being a daily hassle.

As Randy mentioned, we take significant measures with each release to ensure that we release the best software possible to our customers. We have mentioned several times in this topic that we're happy to look at what you're seeing but we have not gotten a specific example. We have, however, looked at a recent example of a banned member and they have compromised email/password combinations from other websites around the web (non-IPS), so that would explain how a malicious-intended spammer could gain access directly, with no brute force.

If this is not an active member, banning them, as you've done, is the right measure. If it is an active member, you may wish to change their password and contact them. However, it could be that the spammer/attacker has access to their email inbox, so be mindful of that. If you would like us to take another look at another example or have a more complex example than just a username, please feel free to use the Contact Us form at the bottom of each page and we'll be happy to take a look.
Svetozar Angelov, posted April 21

22 hours ago, TracyIsland said:
Our community was hit with a huge number of spam registrations in March. See the Tsunami topic. Some of the registrations got through while most were in a pending status (we use aMember for our current 3.3.4 board - register externally and then SSO). Whether the registration got through or sat in the pending status (awaiting email validation), we had to evaluate the domain name of each registration. If it was xx@buildingsupplies.com, we banned that domain because we want our community to have personal email addresses. But many of the registrations had domain extensions like me.com, gmail.com, outlook.com, hotmail.com, aol.com with real names attached. We couldn't ban those domains so we checked the registration to see if the username and the first name and last name were all the same. If yes, then we deleted the registration. All this to say it was an eye opener to see just how many real personal email accounts had been obtained on the dark web. Maybe start compiling a list of the email addresses from accounts that you are deleting, and perhaps see if they compare to the IPS banned list? Also, notate the date of registration? These suggestions are along the lines of what the IPS staff is suggesting, that these bad apples snuck in months ago. One thing we do that helps to verify a registration is include a few additional registration fields: Country, State, City ... so we look at that information in the real registration or the pending registration and if the fields don't agree, that's a first flag, and if needed, we check the IP address of the origin and if that IP address location doesn't agree with the Country, that's another red flag. If these spammers have the login access to the actual email accounts which I think is what Jim M is inferring in the quote, then there doesn't seem to be anything you can do other than to ban that specific email address.

It's good that you're taking a stand in the conversation without knowing what it's about at all. It is good that before you write things that do not concern me about banking spam, you should carefully read what the problem is, which I will describe again for the slow understander.

The problem is from the month of March, affecting many forums and colleagues, and before that we did not have such a problem before the last update. The breach is on existing accounts that actively participate in the forum. If it's spam/bot it will come in and spam the whole forum in minutes. How to prevent users who are active from changing their passwords. That, of course, didn't help. Now I have logged out all users at once and request all of them to reset their PW.

How coincidental that many colleagues who are customers of IPS have had this problem since March. Probably the spam/bots have agreed to do this since March. What we suspect, along with a lot of people, is that the IPS are telling us generalities without really understanding the issue, which is a breach with the March security update, and they're probably buying time to figure out exactly what's going on.
Jim M, posted April 21

12 minutes ago, Svetozar Angelov said:
What we suspect, along with a lot of people, is that the IPS are telling us generalities without really understanding the issue, which is a breach with the March security update, and they're probably buying time to figure out exactly what's going on.

As mentioned, please provide an example and we'd be happy to investigate further your particular case. However, what we have seen on your website is not a breach on your community or in our software, but we're happy, of course, to confirm that with a specific example user.
Svetozar Angelov, posted April 21

14 minutes ago, Jim M said:
As mentioned, please provide an example and we'd be happy to investigate further your particular case. However, what we have seen on your website is not a breach on your community or in our software but we're happy, of course, to confirm that with a specific example user.

Can you specifically say what exactly you have seen on our forum that makes you think the problem is not with your software?
Randy Calvert, posted April 21

10 minutes ago, Svetozar Angelov said:
Can you specifically say what exactly you have seen on our forum that makes you think the problem is not with your software.

IPS has literally thousands of customers ranging from international brands to small hobby sites. If this was a big hole in the software that happened in the March update, there would be a huge flood of customers suddenly posting about it. Let me turn that back around on you… Why do you think it's a problem with the software suddenly when there has not been a change in others having a similar issue? And in looking at the change notes, nothing in it would impact what you are reporting. You are blaming the software update because this happened afterwards, but that can simply be causality. Just because something happened around that time does not mean it is what caused the situation.

Also let's think about this for a moment… if a spammer could just take over any account on your site, why would they not target important accounts? Why not target admin or moderators? They could mass change content and do significantly more "damage" that way. They would also be able to bypass any sort of restrictions such as post approval or content moderation. They don't have access to specific or exact members. They've either gotten a credential from somewhere else or they registered the account themselves a while back and are working back to using it now.
Jim M, posted April 21

45 minutes ago, Svetozar Angelov said:
Can you specifically say what exactly you have seen on our forum that makes you think the problem is not with your software.

At a basic level, we are not seeing any direct logs, errors, brute force attempts, etc. The user in question logged straight in, which can only be done with having the credentials. The email on the most recent user which you banned also has had passwords exposed from different other, non-IPS websites. Which is why we're asking for further examples of why you believe it to be an issue with the software. It isn't pointing that way but of course, if you have further information, we're happy to explore it.

22 minutes ago, Randy Calvert said:
they not target important accounts? Why not target admin or moderators?

Also, what Randy is stating here: they would not just attack normal members who hold no significance to the community and who can be deleted/banned/etc. They would want to do more damage, gain more exposure, etc.
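A worked illustration of the distinction Jim M draws above (a straight successful login with no preceding failures, versus a brute-force pattern), added here as an example; it is not Invision Community code and does not use the ACP's own login-log format. The CSV layout, the IP addresses (documentation ranges), the usernames and the thresholds are all constructed for the example. It groups login attempts by source IP: a source that enters several different accounts, most of them on the first try, fits credential stuffing with passwords obtained elsewhere; a source that piles up failures against one account fits brute force; and the accounts the stuffing source succeeded against are the ones to lock and reset rather than simply ban.

```python
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, List, Set

# Constructed sample login log. The column layout is an assumption made for this
# example, not Invision Community's own login-log format; IPs are documentation ranges.
SAMPLE_LOG = """timestamp,ip,username,result
2024-04-19T02:10:05Z,203.0.113.7,alice,ok
2024-04-19T02:10:41Z,203.0.113.7,bob,ok
2024-04-19T02:11:12Z,203.0.113.7,carol,fail
2024-04-19T02:11:30Z,203.0.113.7,dave,ok
2024-04-19T02:12:02Z,203.0.113.7,erin,ok
2024-04-19T03:00:00Z,198.51.100.9,admin,fail
2024-04-19T03:00:02Z,198.51.100.9,admin,fail
2024-04-19T03:00:04Z,198.51.100.9,admin,fail
2024-04-19T03:00:06Z,198.51.100.9,admin,fail
2024-04-19T03:00:08Z,198.51.100.9,admin,fail
2024-04-19T03:00:10Z,198.51.100.9,admin,fail
2024-04-19T08:15:00Z,192.0.2.33,alice,fail
2024-04-19T08:15:20Z,192.0.2.33,alice,ok
"""


def parse_log(text: str) -> List[dict]:
    """Rows of {timestamp, ip, username, result}; result is 'ok' or 'fail'."""
    return list(csv.DictReader(StringIO(text)))


def classify_sources(events: List[dict], min_accounts: int = 3,
                     min_first_try_ratio: float = 0.6,
                     brute_force_fails: int = 5) -> Dict[str, str]:
    """Label each source IP as credential_stuffing, brute_force or normal.

    Stuffing: one IP logs into several distinct accounts and most of them
    succeed on the very first attempt (the attacker already had the password).
    Brute force: one IP accumulates many failures against the same account.
    """
    per_ip: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for e in events:                       # keep attempts in log order per account
        per_ip[e["ip"]][e["username"]].append(e["result"])

    verdicts: Dict[str, str] = {}
    for ip, accounts in per_ip.items():
        first_try_ok = sum(1 for results in accounts.values() if results[0] == "ok")
        worst_single_account = max(results.count("fail") for results in accounts.values())
        if len(accounts) >= min_accounts and first_try_ok / len(accounts) >= min_first_try_ratio:
            verdicts[ip] = "credential_stuffing"
        elif worst_single_account >= brute_force_fails:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "normal"
    return verdicts


def accounts_to_reset(events: List[dict], verdicts: Dict[str, str]) -> Set[str]:
    """Accounts a stuffing source successfully entered: force a password reset
    (and, for active members, contact the owner) rather than only banning."""
    return {e["username"] for e in events
            if e["result"] == "ok" and verdicts.get(e["ip"]) == "credential_stuffing"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    v = classify_sources(evs)
    for ip, label in sorted(v.items()):
        print(f"{ip:15} {label}")
    print("reset:", sorted(accounts_to_reset(evs, v)))
```

The thresholds are deliberately loose; on a real log you would tune them against your normal login volume, and a stuffing source that rotates IPs per attempt (the pattern in the Ars Technica story linked later in this thread) will not show up by IP at all, only as a burst of first-try successes on dormant accounts.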
TracyIsland, posted April 21

1 hour ago, Svetozar Angelov said:
It's good that you're taking a stand in the conversation without knowing what it's about at all. It is good that before you write things that do not concern me about banking spam, you should carefully read what the problem is, which I will describe again for the slow under-stander. The problem is from the month of March, affecting many forums and colleagues, and before that we did not have such a problem before the last update. The breach is on existing accounts that actively participate in the forum. If it's spam/bot it will come in and spam the whole forum in minutes. How to prevent users who are active from changing their passwords. That, of course, didn't help. Now I have logged out all users at once and request all of them to reset their PW. How coincidental that many colleagues who are customers of IPS have had this problem since March. Probably the spam/bots have agreed to do this since March. What we suspect, along with a lot of people, is that the IPS are telling us generalities without really understanding the issue, which is a breach with the March security update, and they're probably buying time to figure out exactly what's going on.

You're right. I don't know what I'm talking about. I hope you can find a resolution.
Svetozar Angelov, posted April 21

4 hours ago, Randy Calvert said:
IPS has literally thousands of customers ranging from international brands to small hobby sites. If this was a big hole in the software that happened in the March update, there would be a huge flood of customers suddenly posting about it.

Exactly. It's not a big hole, it's a small hole that exists super annoyingly on a paid platform. When there is a problem, it should be cancelled, not determined how big it is. Isn't that what we pay for? Do we have to totally crash the whole forum to accept a hole in the IPS software? Or are we writing on a WORD platform that is infested with spam?

4 hours ago, Randy Calvert said:
Let me turn that back around on you… Why do you think it's a problem with the software suddenly when there has not been a change in others having a similar issue? And in looking at the change notes, nothing in it would impact what you are reporting.

Please, read carefully before writing. There are many people with this problem. Did you write the IPS software to assert if there are holes or not? How will you respond to an attack on user accounts only? Maybe spam bots are choosing between admins, moderators and regular members with emails? Or are you saying that admin emails are very special and absolutely secure?
Randy Calvert, posted April 21

1 hour ago, Svetozar Angelov said:
Please, read carefully before writing. There are many people with this problem. Did you write the IPS software to assert if there are holes or not?

No, I did not write the software. I do not work for IPS. However, I do work for one of its large enterprise customers and I know for a fact that code has been subjected to some pretty serious scans before the company would allow it to be deployed outside of its DMZ. This includes automated and manual code reviews and multiple types of pentesting.

I also see these boards on a near daily basis and there is no difference in people complaining about spam following the March release than there has been literally over the last 10 years. There has not been any sort of large influx of hundreds of people saying "hey, I'm seeing this now". As someone who has been around here when a "big" issue has occurred, there would be 10 pages of people posting about it. You would not be able to miss the flood. It would literally be the dominant issue of the month.

1 hour ago, Svetozar Angelov said:
Exactly. It's not a big hole, it's a small hole that exists super annoyingly on a paid platform.

The accusation you have made that attackers can just "take over" accounts is so wildly huge that I don't think you fully understand what exactly you're implying here. If they can just take over random accounts, they could take over ANY account on the site, including admins, and that could lead to ANY and all data being able to be exfiltrated. It's not some "super annoying small hole" that you're stating.

1 hour ago, Svetozar Angelov said:
How will you respond to an attack on user accounts only?

There are multiple ways of investigating this. I would start with the investigation of each account. When was it created? (New accounts vs old accounts, etc.) How many "relevant" posts have been made by the user? (Spammers can create accounts 3 months ago and post a few "oh me too" or other "AI generated" replies. I have had one spam attack that would have 5 different accounts reply to each other with ChatGPT junk promoting links on 10 year old topics that got picked up in Google.) Has there been a REAL user with a history of posting? If so, how did they get the credential? Was the associated username or email in a database of known compromised credentials? Does the user have malware installed on their device? Has the user been through a password reset to a new password that is not known to be compromised but also compromised a second time?

Again... I want you to think through this. If I'm a malicious actor and I can just randomly take control of any user account on your site, why am I going to pick a random user account and post spam that can be immediately seen/blocked/stopped? If they could do that, they would instead gain access to a privileged account and do other things such as gaining access to the ACP and embedding links into older posts that are not frequently seen but would be picked up by Google. I would be editing the theme's code to have someone visiting your site trigger ad code in the background where the user never even had to click a link. I would have harvested your complete member list and email addresses to spam all of your users. There are literally HUNDREDS of more valuable things I could be doing if there was something in the software I could exploit to gain control of a user account. They are simply making random spam posts as an attack of opportunity where they can either create an account themselves or have a credential obtained from elsewhere and use it because it's available.

1 hour ago, Svetozar Angelov said:
Do we have to totally crash the whole forum to accept a hole in the IPS software. Or are we writing on a WORD platform that is infested with spam?

Again, have you taken the advice given on here for reducing spam? For example:
Are you using hCaptcha on the highest level? (To help reduce the impact of spam at time of registration.)
Are you requiring user accounts to use 2FA? (This is so that if an account is compromised, the attacker would need not just the password but also access to a trusted user device for the one time code.)
Do you ask questions on registration that would be difficult for spammers to figure out? (Hint... most bots can solve simple questions like "what is 1 plus one?". They need to be unique for your niche.)
Are you forcing all users to reset their password if you think there is someone targeting your user base?
Are you using other reputational services like CleanTalk? It can help block registration of IPs and emails that have spammed not just forums but blogs, etc.

There is no silver bullet for stopping spam. The attacks will come and go over time. There is not a single platform out there that does not deal with the problem. But you have many tools at your disposal to help you.
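The per-account checks TracyIsland describes earlier (username equal to first and last name, a commercial email domain, form country disagreeing with the IP's country) and the investigation questions Randy lists above (account age, real posting history, whether the email is in a known breach corpus) can be turned into a single triage score. The following is an added example written for this thread, not Invision Community code or a feature of the ACP. The `Account` record, the blocklist (seeded only with the domain TracyIsland named), the scoring weights and the sample accounts are all constructed; IP-to-country resolution and the HIBP lookup are assumed to have been done beforehand and their results passed in as fields. The action rule follows Jim M's advice in this thread: an established member whose account is being abused gets a password reset and a message, a fresh or empty account gets banned or deleted.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Domains you do not want as member addresses. buildingsupplies.com is the one
# TracyIsland named above; the rest of the list is yours to build up over time.
COMMERCIAL_DOMAIN_BLOCKLIST = {"buildingsupplies.com"}


@dataclass
class Account:
    username: str
    first_name: str
    last_name: str
    email: str
    country: str            # what the member typed into the registration field
    ip_country: str         # country of the registration/login IP (geolocation assumed done elsewhere)
    registered: date
    post_count: int         # lifetime posts
    posts_last_7d: int
    email_in_breach: bool   # result of a haveibeenpwned lookup, assumed already obtained


def triage(acct: Account, today: date) -> Tuple[int, List[str], str]:
    """Score one account on the signals from the thread and recommend an action."""
    score, reasons = 0, []
    domain = acct.email.rsplit("@", 1)[-1].lower()
    if domain in COMMERCIAL_DOMAIN_BLOCKLIST:
        score += 3
        reasons.append(f"email domain {domain} is on the blocklist")
    if acct.username.lower() == acct.first_name.lower() == acct.last_name.lower():
        score += 2
        reasons.append("username, first name and last name are identical")
    if acct.country and acct.ip_country and acct.country.upper() != acct.ip_country.upper():
        score += 2
        reasons.append(f"form country {acct.country} disagrees with IP country {acct.ip_country}")
    age_days = (today - acct.registered).days
    if age_days > 90 and acct.post_count <= 3 and acct.posts_last_7d >= 3:
        score += 3
        reasons.append("long-dormant account with a sudden burst of posts")
    if acct.email_in_breach:
        score += 2
        reasons.append("email address appears in a known third-party breach")

    if score >= 5:
        # An established member whose account is being abused gets a reset and a
        # message, not a ban; a fresh or empty account just goes.
        action = ("reset password and contact owner"
                  if age_days > 90 and acct.post_count > 0 else "ban or delete")
    elif score >= 2:
        action = "manual review"
    else:
        action = "ok"
    return score, reasons, action


# Constructed sample accounts: names, addresses and dates are made up.
TODAY = date(2024, 4, 21)
SAMPLE_ACCOUNTS = [
    Account("JohnSmith", "JohnSmith", "JohnSmith", "johnsmith@buildingsupplies.com",
            "US", "VN", date(2024, 4, 18), 0, 0, False),
    Account("oldtimer", "Maria", "Lopez", "maria.lopez@gmail.com",
            "ES", "ES", date(2021, 6, 1), 2, 5, True),
    Account("gardener42", "Tom", "Baker", "tom.baker@outlook.com",
            "GB", "GB", date(2022, 3, 10), 120, 4, False),
]


def triage_all(accounts: List[Account], today: date = TODAY) -> Dict[str, Tuple[int, List[str], str]]:
    return {a.username: triage(a, today) for a in accounts}


if __name__ == "__main__":
    for name, (score, reasons, action) in triage_all(SAMPLE_ACCOUNTS).items():
        print(f"{name:12} score={score} action={action}")
        for r in reasons:
            print("   -", r)
```

Run over an export of pending registrations or of recent posters, this gives moderators a ranked list instead of a scroll through every profile; the weights are a starting point, and a signal such as "dormant account, sudden burst" is worth more on a forum where old members rarely return.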
Daniel F, posted April 22

59 minutes ago, Svetozar Angelov said:
Could you tell me how to log in to the forum?

You can disable MFA by setting the DISABLE_MFA constant to false in your constants.php file! If you're hosted with us, please submit a ticket and we'll take care of this.
Marc, posted April 22

@Svetozar Angelov - Sorry to see you are having issues with spam here. I just wanted to pick up on where we are here, as there appears to be a lot of confusion, and I want to clear up where we are.

We understand you have an issue with spam, and I feel you believe we are in some manner ignoring this. Let me assure you this is certainly not the case. You have stated there is a "hole" here, without any evidence of this in any way. Just an assumption. While I understand the frustration, this isn't going to help your issue. We have no known security issues on the platform, and from what my colleague has seen so far, it seems the users are logging in and posting as normal, and they are standard users, who have logged in with a password.

A few things to note on that. If they have logged in with the password, then they have the password. There is no way in which to get a user's password on the software. To make this very clear: if I have access to your database directly, with your database credentials, and have full FTP access, I still could not obtain what a user's password is on your system, due to the way the passwords are encrypted. And they are encrypted with PHP methods used throughout the internet (not only our software). Quite simply, nobody has gained the password of a user through your software.

My colleague has also shown you where to check if a user has had their details compromised on another site. Most users will use the same passwords across multiple sites. So if a site elsewhere has been hacked where their password can be identified, they have an email/password combination that may work on the site. Therefore they would simply be able to log in with those details. I'm sure you understand, that's not something we have any control over.

You can use 2 factor authentication for all users. There is unfortunately an issue with the Google one at present that we are looking into, but you can use question and answers. This would force users to at least have another action to log in, meaning if someone does know the password, they may stumble at the question/answer stage.

We are more than happy to look at your settings to see what we can advise. But you do appear to be quite hostile toward people who are trying to help you. Both staff and other customers. I can only assume that is out of frustration. A frustration I can fully understand. But please do help us to help you. We are on your side, and do not like spam any more than you do 🙂
Svetozar Angelov, posted April 22

28 minutes ago, Daniel F said:
You can disable MFA by setting the DISABLE_MFA constant to false in your constants.php file! if you're hosted with us, please submit a ticket and we'll take care of this

Yes, I understand this well, but I can't log into the forum because Google Authenticator is not working and has blocked access.
Marc, posted April 22

1 hour ago, Svetozar Angelov said:
Yes, I understand this well, but I can't log into the forum because google authenticator is not working and has blocked access.

This is done from your file system, not your admin CP. So you create a file in the root directory named constants.php and add this:

<?php
define('DISABLE_MFA', TRUE);

This will disable the Google authentication you are struggling with, so you can log in.
Philooo, posted April 30

Hello, I regret to inform you that my forum has been facing the same problem for several weeks. The proliferation of testimonies over this same period is disturbing. In the case of my forum, it is often profiles that are 2-3-4 years old that are used, often profiles with low activity. The spam messages are always identical: "Super Casual Dating - Genuine Ladies", which suggests that it is a robot... Disastrous for the image of the forum...
Jim M, posted April 30

3 minutes ago, Philooo said:
it is often profiles that are 2-3-4 years old that are used, often profiles with low activity.

As mentioned several times in this topic, you will want to check to see if those email addresses have been compromised from other websites (non-IPS). You can look at https://haveibeenpwned.com/ Then take measures outlined in this topic.
Philooo, posted April 30

Should we test the several tens of thousands of addresses of our members in this way??? Double auth is not generalized on the forums; if we implement it, our members will see this as a constraint that we _only_ impose on them and will turn away from us to go to other less "complex" forums to use. This issue is a real problem for our communities.
Jim M, posted April 30

12 minutes ago, Philooo said:
Should we test the several tens of thousands of addresses of our members in this way???

It is provided as a means of what may have happened. Not a way to verify all.

12 minutes ago, Philooo said:
This issue is a real problem for our communities

As mentioned several times in the topic, the hole here isn't the software but rather the human. Humans are using the same credentials on multiple sites and one of those other sites (not associated to IPS) gets breached; their credentials are now known. Thus, these spammers are logging in. The way around this would be to implement Two Factor Authentication because this requires another set of actions to log in. This won't help past users but will help in the future. The other option would be to force password resets to all members, but there is no guarantee that your users will not insert already breached credentials.
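The gap Jim M names at the end (a forced reset is pointless if members choose another password that is already in a breach dump) is exactly what the Pwned Passwords side of haveibeenpwned.com exists to close, and unlike the per-email breach search (done on the site, or with the paid API) it can be applied automatically at registration and reset time without checking tens of thousands of existing members by hand. The example below is added here and is not Invision Community code. The real endpoint is `https://api.pwnedpasswords.com/range/<first 5 hex digits of SHA-1>`, which returns every suffix in that range with a count, so the full hash never leaves your server (k-anonymity); the `User-Agent` string is an arbitrary name chosen for the example. Because the page cannot make network calls, an offline stand-in for the range response is built from hashlib with made-up counts, and the live fetcher is included for real use.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def live_range(prefix: str) -> str:
    """Query the real Pwned Passwords range endpoint. Only the first five hex
    digits of the SHA-1 leave your server; the response lists every suffix in
    that range (padded with dummy zero-count rows when Add-Padding is sent)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "forum-password-check",   # arbitrary name; the API needs some UA
                 "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Offline stand-in for the range endpoint so the example runs without network.
# Suffixes are computed with hashlib; the breach counts are made up for the example.
_SAMPLE_RANGES: Dict[str, List[str]] = {}
for _pw, _count in (("password", 9659365), ("123456", 42000000), ("letmein", 260000)):
    _digest = sha1_hex_upper(_pw)
    _SAMPLE_RANGES.setdefault(_digest[:5], []).append(f"{_digest[5:]}:{_count}")


def offline_range(prefix: str) -> str:
    return "\r\n".join(_SAMPLE_RANGES.get(prefix, []))


def pwned_count(password: str, fetch_range: Callable[[str], str] = offline_range) -> int:
    """How many times the password appears in the breach corpus; 0 if unseen."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)      # padding rows carry a count of 0
    return 0


def password_acceptable(password: str, fetch_range: Callable[[str], str] = offline_range,
                        min_len: int = 12) -> Tuple[bool, str]:
    """Policy to apply when a member sets or resets a password: cheap length
    check first, then the breach-corpus lookup."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    seen = pwned_count(password, fetch_range)
    if seen:
        return False, f"seen {seen} times in known breaches; choose another"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password", "letmein", "a-long-unique-passphrase-42"):
        print(pw, password_acceptable(pw, min_len=8))
```

To go live, pass `live_range` instead of the default and treat a network error as "cannot verify" rather than as a pass; and note that this only ever sees plaintext at the moment a member types it, so it says nothing about the hashes already stored in the database, which is why it complements rather than replaces the email-level breach check Jim M pointed to.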
Randy Calvert, posted April 30

By the way… this is a massive problem across the internet. It's not an "IPB problem". Ars Technica had a story about it yesterday and how this sort of activity is getting harder and harder to detect with compromised accounts. Check out: https://arstechnica.com/security/2024/04/everyday-devices-are-used-to-hide-ongoing-account-compromise-campaign/

Yes… this is a problem, but it's not a flaw in the software. It's a user issue. The only way to "fix" it is to either use 2FA or make users use unique passwords. There are technically other solutions as well, but they're super expensive and are only really viable financially by very large sites, such as tools like ThreatMetrix or Akamai Account Protector.
Joel R, posted April 30

5 hours ago, Philooo said:
Hallo, I regret to inform you that my forum has been facing the same problem for several weeks. The proliferation of testimonies over this same period is disturbing. In the case of my forum, it is often profiles that are 2-3-4 years old that are used, often profiles with low activity. The Spam messages are always identical: "Super Casual Dating - Genuine Ladies" which suggests that it is a robot... Disastrous for the image of the forum...

This is not a perfect solve, but set up Word Filters for keywords. Also:
- Prepare and warn your moderator team. They can mark users as Spam.
- Change your registration and security challenges (especially hCaptcha to the highest setting)
- Drink lots of alcohol 🥃

I dealt with the spam wave back in October: https://invisioncommunity.com/forums/topic/474157-site-being-overun-by-spammers/?do=findComment&comment=2956377
Marc, posted May 1

@Philooo - It's worth noting here that switching to email login is advised, and has been for quite some time in your admin CP. If you are using display name, then half the login details are essentially already known.